Fantastic write-up that I'll be using at work sometime. We have "security experts" who are definitely security absolutists who sometimes can't see the forest for the trees.
It does depend on your application needs, but for many B2B applications, or anything that deals with SMBs, TOTP and quality security policies add significant business value.
My app implements auth on a purely email basis: there are no passwords; you enter your email to log in and you'll be sent a magic link.
I've recently done the same thing to prove email ownership but to avoid having explicit user accounts for letting someone come back to update their application form on this system. I've since made it a 30 minute server generated TOTP code that gets emailed so the user doesn't end up with a tab for requesting the email and then another tab from the magic link.
There was a reason for avoiding user accounts for these people but it'd take more background on the system to be able to explain why =/
Highly recommend implementing RFC6238-compliant TOTP or WebAuthn over SMS, if you get the opportunity.
It seems people are getting dumber as technology advances. Weird effect...